The “GD” GDPR: European Union Data Privacy and Protection Regime

The New Rules of Data Privacy and Protection

You’ve probably heard the letters GDPR everywhere lately. “What do they mean and why do I have to care?” is probably your common response. This article seeks to provide you with an overview of the new data privacy and protection regime that will help you answer both of those questions.

Data Privacy and Protection: What Is the GDPR?

The GDPR stands for General Data Protection Regulation. It is the new European Union data privacy and protection regime that went into effect on May 25, 2018. It is designed to provide people located in the European Union with greater protection of their personal data and it seeks to punish companies that fail to comply with the rules.

The European Union (EU) already takes its members’ personal data very seriously. The protection of personal data is actually codified in the EU Charter. This is very unlike the hodge-podge scheme of laws (mostly state) in the United States that seek to protect individual data.


But, the GDPR applies globally. So, even though US companies may not have to abide by strict privacy laws in the US, they will have to abide by the GDPR if they do business in Europe or collect any data from EU citizens (regardless of whether the data is stored outside the EU).

Beyond increasing the scope of data privacy and protection, the GDPR requires stricter conditions for consent. An organization’s request for consent must be given in an intelligible and easily accessible form. More importantly, it must be easy to withdraw consent. Gone are the days when websites could throw thousands of pages of privacy policy up on the screen and ask for your consent (which most of us gave blindly).

The GDPR also requires mandatory breach notifications within 72 hours of the breach. This, obviously, seeks to solve the problem of large companies hiding their data breaches. Wyndham Hotels and Ashley Madison would not be able to lose personal data to the dark web and keep their mouths shut anymore.

Individual users will also have the right to obtain their personal information free of charge. They can learn whether personal data was taken, for what purpose, and where it is being held.

A concept that may seem very foreign (pun intended) to US-based consumers is the “Right to Be Forgotten.” The GDPR entitles “data subjects” to request that the entity controlling their personal data erase all of the data, stop providing that data to third parties and, in some cases, go so far as to require third parties using the data to stop doing so.

Why Should I Care?

That’s a lot of very foreign information for US-based consumers, who have only recently begun learning the extent to which our personal data is shared. You might ask why you need to know or care about the GDPR. And, of course, the answer is money! The GDPR drastically increases penalties for non-compliance (we’re looking at you, Facebook and Google).

Under the new regulations, non-compliant companies face strict penalties, which may be up to 4% of the organization’s annual global revenue or €20 million (whichever is greater). Yes, that says greater.

The GDPR solidifies the European Union’s belief that personal data is important and should be private and protected. Because the GDPR reaches beyond the bounds of the EU to enforce personal data regulations, jurisdictions like the United States are forced to sit up and take notice of what the EU believes is a fundamental human right. Hopefully, forcing the US to comply with these stricter data privacy and protection rules will inspire comprehensive privacy legislation on the other side of the Atlantic before Facebook sells our souls!

Meghan Nugent is an associate with SpencePC. She has extensive experience assisting clients in both transactional and litigation matters of all natures. The focus of her practice is Intellectual Property. She also assists the firm’s clients in the prosecution and litigation of trademarks.